International E-news - April 2011



  1. CNIL’s new enforcement and audit strategy announced at PL&B’s Privacy Officers Network Roundtable with the CNIL in Paris
  2. EU Article 29 Data Protection Working Party finds New Zealand adequate
  3. New agreement on RFID use
  4. DP Authorities call for ambitious changes to legal framework
  5. Google agrees to be audited for the next 20 years
  6. Germany: Data Protection Officer cannot be replaced by outsourcing
  7. France: more publicity for penalties

1. CNIL’s new enforcement and audit strategy announced at PL&B’s Privacy Officers Network Roundtable with the CNIL in Paris

Yann Padova, Secretary General, the CNIL, France’s Data Protection Authority, announced at Privacy Laws & Business’s Privacy Officers Network Roundtable in Paris on 6th April details of the CNIL’s new enforcement strategy for the coming year.

CNIL audits have increased from around 100 in 2005 to an expected 400 in 2011 and would continue to increase. He listed video surveillance and health data as its top priorities for 2011. CNIL aims to carry out at least 150 inspections in the area of video surveillance, given its stronger powers in the area following adoption of a new law on 14th March this year. In relation to health data processing, the CNIL sees the protection of sensitive health data as extremely important and aims to focus its inspections on health care provider/suppliers in all stages of the health chain, including health care service professionals and insurance companies.

He explained that 50% of CNIL inspections taking place on an annual basis are from the CNIL’s pre-determined annual programme, 15% are in response to complaints, 20% are in cases which may lead to sanctions, and 15% are for issues in the news. 80-90% of audits are on companies rather than the public sector.

A more detailed article will be in the Privacy Laws & Business International Report, to be published at the end of this week.

2. EU Article 29 Data Protection Working Party finds New Zealand adequate

At their plenary session on 4-5 April, the EU Article 29 Data Protection Working Party adopted an Opinion that New Zealand’s data protection legislation provides an adequate level of protection in relation to the European Union Data Protection Directive. The WP noted that the New Zealand legislation preceded the Directive and was modeled on the OECD Guidelines. The Opinion now will be considered by the European Commission in making an official adequacy decision.

3. New agreement on RFID use

The European Commission, the European Network and Information Security Agency (ENISA) and the EU Data Protection Authorities have signed a voluntary agreement on Radio-frequency identification (RFID). The agreement, adopted on 6 April, establishes guidelines on how to address the data protection implications of smart tags, the use of which is expanding rapidly.

The agreement, "Privacy and Data Protection Impact Assessment (PIA) Framework for RFID Applications", requires that companies to carry out a comprehensive assessment of privacy risks before they introduce a new smart tag application. The PIA Framework can be applied by all industry sectors that use smart tags.

Read more about this topic in the next issue of PL&B’s International Report.

4. DP Authorities call for ambitious changes to legal framework

The European Union DP Commissioners' resolution, adopted on 5 April, calls for a comprehensive data protection framework, which includes the law enforcement sector.

The Commissioners say that the efforts to modernise the legal frameworks in the EU, the Council of Europe and the Organisation for Economic Cooperation and Development should develop in synergy. As a first step, the Working Party on Police and Justice and the Article 29 Working Party will work together to integrate their EU related tasks in the coming year to reinforce the effectiveness of their advisory role.

The Commissioners want a real improvement in the data protection framework, offering effective data protection to individuals. Legislators need to be ambitious, they say.

5. Google agrees to be audited for the next 20 years

In the US, Google has settled a dispute with the Federal Trade Commission over it social network, Buzz, and failure to comply with US Safe Harbor rules. The FTC announced on 30 March that Google has agreed to settle charges that it used deceptive tactics with Google Buzz, and did not stick to its privacy policy, for example, it used information provided for Gmail for the purpose of social networking without the individuals’ consent. Google is now obliged to seek individuals’ consent ‘before sharing their information with third parties if Google changes its products or services in a way that results in information sharing that is contrary to any privacy promises made when the user’s information was collected’, and must establish and maintain a comprehensive privacy programme. Moreover, Google has agreed to have internal audits conducted by a third party every two years. This arrangement is for the next 20 years.

“When companies make privacy pledges, they need to honour them,” said Jon Leibowitz, Chairman of the FTC. “This is a tough settlement that ensures that Google will honour its commitments to consumers and build strong privacy protections into all of its operations."

6. Germany: Data Protection Officer cannot be replaced by outsourcing

On 23 March the Federal Labour Court in Germany ruled that the employment of an internal company data protection officer could not be terminated just because the company had decided to contract out the job. Under the German Federal Data Protection Act of 2010, a data protection officer’s employment can only be terminated for good cause, such as incompetence or misconduct. The ruling is that outsourcing the job is not a good cause. The employee had been hired as a data protection officer in 1992, and the employer wanted a replacement external appointee.

7. France: more publicity for penalties

A new law in France, published on 30 March, will enable CNIL, the data protection authority, to give more publicity to rulings against those who violate the data protection law. The law, which was adopted in response to rulings by the Conseil d’Etat, also limits the participation of the CNIL’s President and Vice-President in order to separate the investigative and judicial roles of the authority.

For further details on the Privacy Laws & Business International Newsletter, please click here.

Copyright Privacy Laws & Business 2011